Tesco.com API will be adopting 'OAuth' standard.

OAuth, short for 'Open Authorization', is an open protocol to allow secure API authorisation in a simple and standard method from desktop and web applications.

Why is this good? Quite simply, customers will not have to give third party web sites their Tesco.com grocery login email address and password in order for that web site to have access to that customer's product range and basket. Instead, customers will give permission using a 'key' linked to their account. The key can be withdrawn at any time without the customer having to reset their password.

From the OAuth web site (http://www.oauth.com):"The OAuth protocol enables websites or applications (Consumers) to access Protected Resources from a web service (Service Provider) via an API, without requiring Users to disclose their Service Provider credentials to the Consumers. More generally, OAuth creates a freely-implementable and generic methodology for API authentication.".

OAuth will be built into phase 2 of the forthcoming beta version of the Tesco.com API over the coming months. Until then, third party web sites wishing to use the forthcoming beta Tesco.com API (due for release at the end of August) can continue to use the current authorisation method of requesting username and password.

We will need to make sure that using OAuth is as painless for the customer as possible but there are several very good implementations out there so I'm confident that we can find the right balance between security and ease of use.

Third party web sites should keep in touch with the Tesco API Innovation Forum at http://www.techfortesco.com/forum for more information about switching over to the OAuth mechanism.We will make sure that the implementation will require only a tiny change to third party web applications principally around use of the 'Login()' method (in the AccountClient class). Applications that call Login() get returned an instance of the Session class that is used as a token when calling all the other methods in the API for that customer. We'll make sure this behaves as it does today so you don't have to re-code your application beyond using Login() itself.

Client applications that are built for consumer devices can continue to use the current authorisation mechanism without having to make any changes to their applications and will not need to use OAuth (unless they wish to). This is because these apps will talk directly with the Tesco API and don't go via a third-party server.

We do reserve the right to provide new authorisation mechanisms and deprecate old methods as technology moves forward, but 'old and new' mechanisms will sit side-by-side for a while to give reasonable time for developers to update their sites to adopt the new service.

And if you didn't understand a word of this blog entry, relax;I'll return to my usual higher-level writing shortly!

7 comments:

Thats great stuff Nick thanks for listening to all the feedback, it will make our life much easier using this than having to try and convince our users why they should give us their tesco.com password.

BTW as far as I'm concerned I don't mind if you do break the API interface during the beta stages if it leads to a better API.

Nick:You won't be disappointed with the protocol. We went through a few months of research on how we should approach authentication for our API(http://developer.fellowshipone.com) and all paths pointed to OAuth.

By far, the community and the authors of the protocol have been more than supportive and we have found that it even supports multi-tenant, multi-user with multi-persona user models (with some extension)

So far all of our consumers have had very little difficulty with consumption, and they are using several different platforms (iPhone, PHP, Rails, .NET, etc...)

As this blog grows in readership - and because it carries the Tesco brand - I have had to become more careful about the sort of comments that are acceptable. The good news is that I'm a champion of free speech so please be as praising or as critical as you wish! The only comments I DON'T allow through are:

1. Comments which criticise an individual other than myself, or are critical of an organisation other than Tesco.This is simply because they cannot defend themselves so is unfair and possibly libellous. Comments about some aspect of Tesco being better/worse than another equivalent organisation are allowed as long as you start by saying "in my personal opinion.." or "I think that...". ... followed by a "...because.." and some reasoned argument.

2. Comments which are totally unrelated to the context of the original article.If I have written about a mobile app and you start complaining about the price of potatoes then your comment isn't going stay for long!

Tesco Groceries

About Nick Lansley

As one of several "founding father"s of Tesco.com, Nick Lansley built web and downloadable applications to enable wine and grocery home shopping on slow modem internet connections.
The first web application built 1996 for grocery and was opened by Tesco's Tim Mason and Bill Gates from Microsoft.
Nick then managed grocery web development through to 2000, then took on his research role to help to deliver a service better for customers - work that continues apace to this day!

Nick was recently appointed as an inaugural member of the UK's Mobile Commerce Joint Industry Committee (MCJIC), an industry initiative established to ensure that businesses are prepared for the opportunities and challenges that accompany the explosive growth in mobile commerce.

Important Reader Notice

Please note that any opinion expressed in this blog are the personal views of Nick Lansley, and not Tesco or Tesco.com (whether official or unofficial!).

It's important to understand this otherwise Nick would need to get endless sign-offs to approve any blog entry and the whole natural flow of this blog would fall apart.

Nick's views are his own and cannot be considered to reflect company sentiment.

Use of blog content

You are welcome to use any content in this blog - all text and media (including images) are my own copyright and you can use them in your own work without requesting my permission. The only two stipulations are that you:

Must mention this blog in "offline" publications or link to it from your online article, and

Never use this content to convey either myself or Tesco in what I regard as a negative manner (and yes I'm the final judge of that so ask if you're not sure!).